European Union


2518864-8236474736-tombsWithout adding to the excitement and dismay rippling across the EU and the US concerning this verdict I thought I’d post a few articles written by privacy experts on IAPP on what they think. They are easy reading and informative. Have fun, the opinions are mixed as you will find out!

https://iapp.org/news/a/schrems-v-data-protection-commissioner-just-got-a-lot-more-interesting/

https://iapp.org/news/a/how-max-schrems-scored-an-own-goal-by-toppling-safe-harbor/

https://iapp.org/news/a/with-safe-harbor-invalid-whats-next-for-privacy-pros/

https://iapp.org/news/a/finding-a-safe-harbor-for-safe-harbor/

https://iapp.org/news/a/bcrs-looking-attractive-after-ag-opinion-on-safe-harbor-heres-some-help/

I was having lunch with an old colleague today who was convinced that the new EU Regulation due to come effective in 2015 or 2016 was going to change everything! What’s more nothing is decided, so everything is floating in the air….

Don’t panic. First the EU Regulation will be based on a foundation of what exists today, i.e. the Directive. The problem with the Directive is that it is not enforced effectively in member states, and the local laws are not a direct interpretation of the Directive. For example each country has interpreted the laws as they understand the directive…now just think about the language challenges, cultural challenges. Each country has their own interpretation of the Directive. What is more is that each member state may have legislation that has been around for a long time that has priority over any data protection law that is enacted, this creates all sorts of issues. For example in Sweden the personal ids of citizens are considered as public records, so they are not protected by the data protection law.

When it comes to enforcement and fines for misalignment with the Directive, some member states have been more active than others. Now this will change with the new Regulation.

Clearly there are aspects that we don’t know. Basically the member states cannot come to an agreement. However what you should focus on is what we know, and that is the incumbent Directive. Use that is your baseline, leave the unknown aspects until later. Believe me you have enough work already!

I want to know how much you earn because you are applying for a job with my company and I want to check what your present employer thinks you are worth.

extrakollpng

This is easy to do in Sweden, and you as the data subject have no idea that this has happened. It is possible for any person to go online and request anonymously your earnings for 2 completed tax years in Sweden at http://www.extrakoll.se/, and the requester to get the information by SMS.

How do you do this is:

  1. Visit www.extrakoll.se and search for the name of the individual you are investigating;
  2. Then you will be requested to send an SMS to number 72323 with word INKOMST+code or/and STORKOLL+code;
  3. You are given choices of payment methods, 20kr or 40kr, depending on which option you choose;
  4. The earnings for the targeted person for 2 of the previously reported tax years will be sent to your mobile telephone!

There is no way you can prevent others from requesting this information on yourself.

Nevertheless, it is against the EU Directive on Data Protection because you, the data subject are not informed that this information has been requested, and your Personal Identifying Information (PII) is public domain. I am sure identity thieves find extrakoll.se a useful tool to research their victims. I just hope it’s not you!

64 thousand Swedish identities were hijacked in 2013. Population of Sweden is today around 9,5 million. This means that the crime of identity fraud impacted around 0,8 percent of the Swedish population.

“So what, that’s nothing?” You are thinking….

Nevertheless this is almost 1 in a 100 of Swedish residents who have been a victim to identity fraud in 2013 alone. Hence Sweden is not exempt from the growing trend of identity fraud globally.

However in Sweden it’s going to increase exponentially if Swedish law is not changed. What we can expect is that subsequent years will welcome an influx of fresh victims; that could be you if you are one of the 9.5 million residents or/and citizens of Sweden, your friends, or even your children.

Identity fraud in Sweden will increase exponentially if Swedish law is not changed!

identity-theftFirst a little history on how we got to where we are. Sweden is one of the few countries globally that is organized enough to have implemented a comprehensive personal identity numbering scheme. It was first introduced in 1947 and was probably the first of its kind globally that included every Swedish resident. Unfortunately, the fact that Swedish identities are organized with the use of a uniform identifier, i.e. YYMMDD-xxxx (YYMMDD = date of birth) makes their personal id much more vulnerable to hacking and fraud than a more random generated id. It is easy for an identity fraudster to work out a Swedish identity number using some simple data mining techniques.

For those of you that want a quick summary of how the Swedish ID number is created… here we go..

1. The personal identity number consists of 10 digits and a hyphen.
2. The first six correspond to the person’s birthday, in YYMMDD form.
3. They are followed by a hyphen.
4. The seventh through ninth are a serial number.
5. An odd ninth number is assigned to males, and an even ninth number is assigned to females.
7. The tenth digit is a checksum which was introduced in 1967 when the system was computerised.

Up to 1990, the seventh and eighth digits were correlated with the county where the bearer of the number was born or (if born before 1947) where he/she had been living, according to tax records, on January 1, 1947, with a special code (usually 9 as 7th digit) for immigrants.

To get the last 4 digits, easiest is to call the Swedish Tax Authority and ask, they are very helpful, since the personal identity number is public information

But what does it really mean to have your identity stolen, or hijacked as more often referred to in Swedish popular press? So here is how a Swedish identity could be stolen starting with a name to find the personal id number:

  1. Google the name of the victim, from here the fraudster will find date of birth (ratsit.sebirthdays.se), home address on a cute map, and other information (hitta.se);
  2. To get the last 4 digits the fraudster can ring up the Swedish Tax Authority direct and ask them, it is after all public information, and they are very helpful.
  3. Now the identity thief can go online and order a fraudulent ID card and/or a fake passport using the stolen personal id number. Hence since the personal number is a vital specific identification number to identify an individual is correct but the photo on the ID card or passport is that of the fraudster.
  4. He/she is ready to go on a spending spree at the victim’s expense! If they have no access to the victim’s credit/debit card, they could buy electronic goods on credit with a small down payment (avbetalning). The victim, get to foot the rest of the bill.
  5. A shop assistant when checking the id card, would feel that the details are correct and process the transaction.

And this is just the beginning of the nightmare for the victim. The fraudster can take out additional loans in their name, buy a car, a house, and default on payments in their name. The victim will be blacklisted by credit companies. Cleaning up this mess will not be easy. It will take a lot of energy and time to clear their name. The victim can forget about trying to get a loan or any type of credit at this time.

I guess after all this excitement that the victim will want to remove their personal information from the public domain? Sorry but there is more bad news. It’s quite impossible! Swedish residents have no legal right to protect their personal identifying information in Sweden. In fact credit reporting agencies have permission from the Data Inspectorate (Datainspektionen) to publish your personal information. They get something called an utgivningsbevis that gives them exemption from Personalupplysningslagen (PuL), that costs a couple of thousand Swedish kronor. On the date of this publication there were 913 companies that have been granted an utgivningsbevis. So in Sweden the Personal Identifying Information (PII) of data subjects is public information. Although the data subjects do have some say over the integrity of PII that is published, this is driven by the Kreditupplysningslagen. The Credit Information Act (Kreditupplysningslagen) are required to make changes in their database to correct faults, but the data subjects have no right to be omitted from the register unless they have a ‘protected identity’. Hence all residents in Sweden who are over the age of 16 are included and public.

All of this is despite the Personal Data Law (PuL) that is here to protect personal information of Swedish residents and citizens. In fact in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is in contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from the identities of Swedish subjects. It is a Mad Hatters Party for 931 companies abusing this right at the cost of Swedish citizens/residents!

As a Swedish citizen, I have nothing against companies making money from identities so long as:

  1. I’ve given active consent to this;
  2. I have the choice to have it removed;
  3. and if I have permitted my personal information to be used commercially, I should also be a beneficiary from sharing my personal information.

To summarise. If you are a Swedish citizen/resident your personal information is public information and is being exploited commercially. This exploitation makes you vulnerable to identity theft. You have no control over who publishes your personal information.

It is about time this problem was fixed don’t you think?

Further reading

http://www.datainspektionen.se/press/nyheter/2014/datainspektionen-kan-inte-ingripa-mot-sajt-som-hanger-ut-domda/

http://www.riksdagen.se/en/How-the-Riksdag-works/Democracy/The-Constitution/The-Fundamental-Law-on-Freedom-of-Expression/

http://www.radioochtv.se/en/Licensing/Internet/

http://sverigesradio.se/sida/avsnitt/404038?programid=2778&playchannel=132

IDripping Tap love what UK is doing to keep alive the data retention directive that died an untimely death recently with DRIP 😉

Some debate that it ‘extends’ the powers of RIPA. UK government officials claim it is just to cover the loss of the EU data retention requirements temporarily until they think of some new that is more manageable. Read what Panopticon blog is saying and decide for yourself?

Love it… a mad-hatters party and Google invited themselves 😉

mad_hatter_teaparty[1]

I took this from Panopticon Blog concerning the outcome of the Google order. Now what if the rights of the Swedish citizen was to be escalated to the EU courts, would the outcome be the same?

“The first question for the CJEU was whether Google was a data controller for the purposes of Directive 95/46. Going against the opinion of the Advocate General (see earlier post), the Court held that the collation, retrieval, storage, organisation and disclosure of data undertaken by a search engine when a search is performed amounted to “processing” within the meaning of the Directive; and that as Google determined the purpose and means of that processing, it was indeed the controller. This is so regardless of the fact that such data is already published on the internet and is not altered by Google in any way.

The Court went on to find that the activity of search engines makes it easy for any internet user to obtain a structured overview of the information available about an individual thereby enabling them to establish a detailed profile of that person involving a vast number of aspects of his private life. This entails a significant interference with rights to privacy and to data protection, which could not be justified by the economic interests of the search engine operator. In a further remark that will send shockwaves through many commercial operators providing search services, it was said that as a “general rule” the data subject’s rights in this regard will override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name” (at paras 81 and 97).”

Next Page »